I reported in April of this year that in early 2012 Singapore may introduce legislation to protect consumer data. On 13 September, the Ministry of Information, Communications and the Arts (MICA) released a public consultation paper on the proposed consumer data protection regime, which is scheduled for debate in Parliament sometime in the first quarter of 2012. The consultation paper covers the following key parts:
- Background, giving the overview of the current data protection regime and the need for a general data protection regime
- The proposed consumer data protection framework including key objectives and principles, scope of coverage and rules and exclusions
- The implementation component including penalty and enforcement regime, regulations, code of practice and guidelines, transitional arrangements
- A proposed Do-Not-Call Registry
While it is beyond the scope of this report to provide any meaningful analysis, the following are the salient points of the proposed general data protection regime.
- The Government recognizes that there is no general law on personal data protection, and the proposed regime seeks to protect an individual’s personal data balanced against the need for an organization to collect and process such data for legitimate purposes.
- The proposed regime seeks to be a baseline law to operate concurrently with other existing legislative frameworks and not to replace them. A prime example would be the current regime on banking, which may impose a higher requirement on the protection of personal data.
- The proposed regime is applicable only to all organizations except the public sector. Just as with Malaysia’s current data privacy regime, the government herself is excluded from application of the proposed regime.
- As one of the key objectives of the proposed regime is to enhance the Republic’s role as a trusted hub for data management, it will be developed based on the current self-regulatory Model Code, which in turn is based on the OECD Guidelines on the Protection of Privacy and Trans-Border flow of Personal Data. The other reference points for the proposed regime include the APEC Privacy Framework, and EU, UK, Hong Kong, Canada and New Zealand data protection regimes;
- A Data Protection Commission (DPC) will be proposed to oversee the execution of this regime. It will take a complaint-based rather than a more stringent audit-based approach. The DPC will investigate non-compliance to the proposed regime, and an organization can be fined up to SGD 1 million dollars (approximately USD $805,000) for non-compliance.
- MICA is proposing a Do-Not-Call Registry, where an individual is able to register his phone numbers to opt out of unsolicited telemarketing calls, “SMS” and fax messages with the exception of electronic mails, as they can be filtered out by the appropriate software.
In relation to the proposed regime, MICA seeks public comments on the following issues:
Its objectives and the principles
The definition of personal data
The organizations and activities covered
The proposed general exclusions
The rules on collection, use and disclosure of personal data, including those deceased
The rules on accuracy, protection and retention of personal data
The rules on access to and correction of the personal data
The penalty, enforcement and transitional arrangements, such as the required “sunrise” period
The National Do-No-Call Registry
The long-awaited proposed regime to protect personal information has finally arrived amid calls from the public to protect the invasion of consumers’ privacy, especially from intrusive marketers. Privacy advocates will certainly respond to the call for comments on these key issues, such as exclusion of the public sector from the regime without a similar and parallel regime to regulate that sector; the effectiveness of a complaint rather than audit regime approach, and the need for the consumer to opt in to the Do-Not-Call Registry, all by 25 October 2011.